Platform: wordpress
Component: xpro-elementor-addons
Fixed in: 1.4.25
CVE-2026-2949 is a stored Cross-Site Scripting (XSS) vulnerability in the Xpro Addons — 140+ Widgets for Elementor plugin for WordPress. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages, which execute when a user accesses the injected page. The affected versions are up to and including 1.4.24. The vulnerability is fixed in version 1.4.25.
CVE-2026-2949 affects the Xpro Addons — 140+ Widgets for Elementor plugin for WordPress: a stored Cross-Site Scripting (XSS) vulnerability in the Icon Box widget in versions up to and including 1.4.24. An authenticated attacker with contributor-level access or higher can inject arbitrary web scripts into pages, and those scripts execute whenever a user accesses the injected page. This allows attackers to potentially steal sensitive information, redirect users to malicious websites, or perform actions on behalf of the user. The CVSS score of 6.4 indicates a moderate to high risk, particularly for sites with many users or sites handling sensitive data.
An attacker with authenticated access (contributor level or higher) to a WordPress site running Xpro Addons 1.4.24 or earlier can exploit this vulnerability. The attack consists of injecting malicious JavaScript through the Icon Box widget. The injected code is stored in the site's database and runs each time a user visits the page containing it. The root cause is missing input sanitization and output encoding in the widget. Successful exploitation depends on the attacker first obtaining authenticated access to the WordPress admin panel.
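The defensive point behind this advisory is output encoding in widget render code. The following is an added illustration, not Xpro's code and not the actual vulnerable field (which the page does not name); it sketches a hypothetical Elementor widget with made-up control names (`box_id`, `link`, `title`, `description`) and assumes WordPress and Elementor are loaded so `esc_attr`, `esc_url`, `esc_html`, `wp_kses_post` and `\Elementor\Widget_Base` exist.

```php
<?php
// Added example (hypothetical widget, not the plugin's own code).
// Control values come from whoever edits the page in Elementor, which
// includes contributor-level users, so they must be treated as untrusted.
class Example_Icon_Box_Widget extends \Elementor\Widget_Base {
    public function get_name() { return 'example_icon_box'; }
    public function get_title() { return 'Example Icon Box'; }

    // Unsafe pattern: settings echoed raw. A script stored in any of these
    // controls is served to every visitor of the page (stored XSS).
    protected function render_unsafe() {
        $s = $this->get_settings_for_display();
        echo '<div class="icon-box" id="' . $s['box_id'] . '">';
        echo '<a href="' . $s['link']['url'] . '">' . $s['title'] . '</a>';
        echo '<p>' . $s['description'] . '</p>';
        echo '</div>';
    }

    // Hardened form: escape at output time with the function that matches
    // the HTML context the value lands in.
    protected function render() {
        $s = $this->get_settings_for_display();
        // Attribute context
        echo '<div class="icon-box" id="' . esc_attr( $s['box_id'] ) . '">';
        // URL context: esc_url rejects javascript: and other unsafe schemes
        echo '<a href="' . esc_url( $s['link']['url'] ) . '">';
        // Text node context
        echo esc_html( $s['title'] ) . '</a>';
        // Rich-text context: keep only the post-safe tag/attribute allowlist
        echo '<p>' . wp_kses_post( $s['description'] ) . '</p>';
        echo '</div>';
    }
}
```

When reviewing a plugin after an advisory like this one, grep its widget `render()` methods for `echo` of `get_settings_for_display()` values that pass through none of these functions.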
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to update the Xpro Addons plugin to version 1.4.25 or later, which contains the fix for the script injection. In addition, review WordPress pages for suspicious content, especially pages edited by users with elevated privileges. Enforcing strong password policies and enabling two-factor authentication (2FA) for all administrative users significantly reduces the risk of unauthorized access. Regular security audits help identify and address potential vulnerabilities proactively, and a web application firewall (WAF) adds a further layer of protection.
Update to version 1.4.25 or a newer patched version.
What is XSS? XSS is a type of security vulnerability that allows attackers to inject malicious scripts into websites viewed by other users. These scripts can steal information, redirect users, or perform actions on their behalf.
What does "authenticated" mean here? The attacker must be logged into the WordPress website with an account that has contributor-level or higher privileges.
Am I affected? If you are using Xpro Addons version 1.4.24 or earlier, your website is vulnerable. Update the plugin to the latest version to resolve the issue.
What if my site is already compromised? If you suspect your website has been compromised, immediately change all administrator passwords, scan your website for malware, and consider restoring from a clean backup.
Can I take additional precautions? Yes: implement a strong password policy, enable two-factor authentication (2FA), keep all your plugins and themes updated, and consider using a web application firewall (WAF).